From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: IPFire 2.29 - Core Update 185 is available for testing Date: Tue, 26 Mar 2024 11:45:17 +0000 Message-ID: <7F15B4DB-9BA3-4147-A03E-655F6716354A@ipfire.org> In-Reply-To: <9bcf2953-8bdd-4f4a-9c01-08a1bbdb5a80@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0313545933027600262==" List-Id: --===============0313545933027600262== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello, > On 26 Mar 2024, at 11:37, Adolf Belka wrote: >=20 > Hi, >=20 > On 26/03/2024 11:55, Michael Tremer wrote: >> Hello everyone, >> I am not entirely sure what corner-case we are talking about here, but I r= an the code twice on a test system to see if it actually does what it is supp= osed to do. I felt it did. > If I ran the code myself on my vm system, it did the right things. It was w= hen I ran the CU185 update that it went wrong but I couldn't come up with any= idea for why. >=20 >> But is it pretty? Not quite, so let=E2=80=99s dive into a little bit of sh= ell :) > Well I am definitely not an expert at bash. Whenever I want to do something= I always have to search on the internet so that might cause me to have ugly = code. I try and learn as I go along, if I can remember. That is why I thought I would give a little bit of feedback. I think sometime= s a problem is easier than it feels. And after all, the code that you proposed does work. There is nothing wrong w= ith that in that regard. >>> On 25 Mar 2024, at 16:29, Adolf Belka wrote: >>>=20 >>> Hi Nick, >>>=20 >>> On 25/03/2024 16:49, Nick Howitt wrote: >>>> I don't have the answer to why it is adding the lines, but can I ask if = this scriptlet is safe? >>>>=20 >>>> If you have one line and not the other in the file you will end up with = three lines, the original plus two new. Also, if someone has preffed the line= s off, they will gain two lines preffed on. >>>>=20 >>> Good point. If the lines are present with =3Don or =3Doff then the option= s have been saved and the update code would not be needed. >>>> Perhaps it is safer to run the tests independently, just checking for ^L= OGDROPHOSTILEIN=3D and ^LOGDROPHOSTILEOUT=3D >>>>=20 >>>> if ! grep "^LOGDROPHOSTILEIN=3D" /var/ipfire/optionsfw/settings; then >>>> sed -i '$ a\LOGDROPHOSTILEIN=3Don' /var/ipfire/optionsfw/settings >>>> /usr/local/bin/firewallctrl >>>> fi >>>> if ! grep "^LOGDROPHOSTILEOUT=3D" /var/ipfire/optionsfw/settings; then >>>> sed -i '$ a\LOGDROPHOSTILEOUT=3Don' /var/ipfire/optionsfw/settings >>>> /usr/local/bin/firewallctrl >>>> fi >>>>=20 >> This is probably the cleanest version that we have seen here. >> Formerly the if statement looked like this: >>>>> if ! [ $(grep "LOGDROPHOSTILEIN=3Don" /var/ipfire/optionsfw/settings) ] >> This will run a sub shell $(=E2=80=A6) with grep in it which is not necess= ary since if alone can determine the exit code of a command. >>>> if ! grep "^LOGDROPHOSTILEIN=3D" /var/ipfire/optionsfw/settings; then >> So this eliminates the sub shell, a couple of brackets and dollar signs an= d is a lot easier to read. > The [] brackets were something I read some time ago that I should have in p= lace when I did my original internet searching so have always used them in ot= her places in IPFire. > Happy to be corrected and change to this approach. [ is actually a command. It is somewhere in /usr/bin or /bin and a shortcut t= o =E2=80=9Ctest=E2=80=9D: https://www.man7.org/linux/man-pages/man1/test.1.html >>>> sed -i '$ a\LOGDROPHOSTILEOUT=3Don' /var/ipfire/optionsfw/settings >> This could have simply been an echo: >> echo "LOGDROPHOSTILEOUT=3Don=E2=80=9D >> /var/ipfire/optionsfw/settings >> That would even be executed by the shell without forking any subprocesses = and therefore be the fastest option. Not very important if there is only two = strings to write, but sometimes there are loops that are being called thousan= ds of times=E2=80=A6 You are going to save a lot of time and will also have e= asier code to read. >=20 > The search I did gave examples of sed, grep, awk but not echo. > It does seem easier when you point it out. > Will also change to that. No need this time. >> Reloading the firewall once would have been fine for me, even if there hav= e been no changes whatsoever. >>> I will look at making that update. >>> The only problem is I can't easily test that it solves the problem I have= found from the update as the original script does not cause the same result = when I manually run it. >>>=20 >>> However, definitely want to change the script anyway to make sure that I = don't end up with both =3Don and =3Doff fore the same setting which might occ= ur if someone has already adjusted their preferences. >>>=20 >>> I will probably have to submit a patch for the modification and then test= it in the CU185 Testing release when it is updated. >> Thank you. I will merge it shortly. > You have merged my v2 example but it still had the square brackets and the = subshell and the sed etc. >=20 > Should I do an update to the v2 version to get rid of the square brackets e= tc as discussed above. I think we can leave it. This will waste 10ms of time when running the update= which really isn=E2=80=99t an issue whatsoever :) -Michael >=20 > Adolf. >> -Michael >>>=20 >>> Regards, >>> Adolf. >>>> It does, however, cost another firewall restart, which could be evaded w= ith a few more lines of script. >>>>=20 >>>> Regards, >>>>=20 >>>> Nick >>>>=20 >>>> On 25/03/2024 15:02, Adolf Belka wrote: >>>>>=20 >>>>> Hi All, >>>>>=20 >>>>> I am having difficulty understanding something that is happening with t= he Core Update to 185. >>>>>=20 >>>>> I added the following code into the update.sh script >>>>>=20 >>>>> # Check if the drop hostile in and out logging options need to be added >>>>> # into the optionsfw settings file and apply to firewall >>>>> if ! [ $(grep "LOGDROPHOSTILEIN=3Don" /var/ipfire/optionsfw/settings) ]= && \ >>>>> ! [ $(grep "LOGDROPHOSTILEOUT=3Don" /var/ipfire/optionsfw/settings)= ]; then >>>>> sed -i '$ a\LOGDROPHOSTILEIN=3Don' /var/ipfire/optionsfw/setti= ngs >>>>> sed -i '$ a\LOGDROPHOSTILEOUT=3Don' /var/ipfire/optionsfw/sett= ings >>>>> /usr/local/bin/firewallctrl >>>>> fi >>>>>=20 >>>>> If I do an update with a Core Update 183 version that has the LOGDROPHO= STILEIN and LOGDROPHOSTILEOUT entries in optionsfw/settings missing then the = update adds in the two lines shown. So working correctly. >>>>>=20 >>>>> However if the Core Update 183 has the two entries already in the optio= nsfw/settings file then the above code ends up with two more copies of each p= ut into the file as following. >>>>>=20 >>>>> FWPOLICY=3DDROP >>>>> SHOWTABLES=3Don >>>>> DROPPROXY=3Doff >>>>> LOGDROPHOSTILEIN=3Don >>>>> LOGDROPHOSTILEOUT=3Don >>>>> LOGDROPHOSTILEIN=3Don >>>>> LOGDROPHOSTILEOUT=3Don >>>>>=20 >>>>> However if I take a vm with optionsfw/settings containing the two entri= es already and run the update code shown above manually via a script on the v= m then it does not add any extra lines in. If the vm has the two entries miss= ing and I run the script manually then it adds in one entry for each. >>>>>=20 >>>>> So I do not understand at all why the code I put into the update.sh file >>>>>=20 >>>>> 1) Does not recognise that the entries already exist in the settings fi= le. >>>>> 2) Then prints the entries twice. >>>>>=20 >>>>> when it is run in the update.sh via an upgrade. >>>>>=20 >>>>> Any help with understanding what is going wrong with the code I wrote w= ould be very much appreciated. >>>>>=20 >>>>> Regards, >>>>> Adolf. >>>>>=20 >>>>> On 25/03/2024 10:15, IPFire Project wrote: >>>>>> This update is another testing version for IPFire: It comes with the b= rand release of the IPFire IPS, a number of bug fixes across the entire syste= m and a good amount of package updates. Test it while it's still hot! >>>>>> =E2=80=8C =E2=80=8C =E2=80=8C =E2=80=8C =E2=80=8C =E2=80=8C =E2=80=8C = =E2=80=8C =E2=80=8C =E2=80=8C =E2=80=8C =E2=80=8C =E2=80=8C =E2=80=8C =E2=80= =8C =E2=80=8C =E2=80=8C =E2=80=8C >>>>>>=20 >>>>>>=20 >>>>>> IPFire_ >>>>>>=20 >>>>>>=20 >>>>>> IPFire 2.29 - Core Update 185 is available for testing >>>>>>=20 >>>>>> This update is another testing version for IPFire: It comes with the b= rand release of the IPFire IPS, a number of bug fixes across the entire syste= m and a good amount of package updates. Test it while it's still hot! >>>>>>=20 >>>>>> Read The Full Post On Our Blog >>>>>>=20 >>>>>> The IPFire Project, c/o Lightning Wire Labs GmbH, Gerhardstra=C3=9Fe 8= , 45711 Datteln, Germany >>>>>>=20 >>>>>> Unsubscribe >>>>>>=20 >>>=20 >>> --=20 >>> Sent from my laptop --===============0313545933027600262==--